References:
https://www.firebase.com/blog/2013-10-01-queries-part-one.html
https://www.firebase.com/blog/2014-01-02-queries-part-two.html
https://www.firebase.com/blog/2013-08-01-new-feature-improved-string-validation-in-security-rules.html
https://www.firebase.com/docs/security/rulesdatasnapshot/index.html
https://gist.github.com/katowulf/4741111
https://gist.github.com/katowulf/6158392
when
JavaScript:
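{
  "rules": {
    // when read and write are granted here at the root...
    ".read": true,
    ".write": true,
    // ...this rule has no effect: access granted by a parent rule cannot be revoked by a child rule
    "categories": {
      ".read": true,
      ".write": "auth.email == 'x@x.net'" // only the super admin can write
    }
  }
}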
when

and we would like each user to read and write only his own key
JavaScript:
"companies": {
  "$user": {
    ".read": "$user == auth.id", // user can read his record only
    ".write": "$user == auth.id" // user can write his record only
  }
},
and the super admin can manipulate all records
JavaScript:
"companies": {
  // only the super admin can read/write anything in companies
  ".read": "auth.email == 'x@x.net'",
  ".write": "auth.email == 'x@x.net'",
  "$user": {
    ".read": "$user == auth.id", // user can read his record only
    ".write": "$user == auth.id" // user can write his record only
  }
},
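Why the nested categories rule in the first block never takes effect, while the super admin rule on companies does, shown as an added example (not code from the original page). It is a simplified model of rule cascading, not Firebase's own engine: rule expressions are written as JS functions, and `allowed`, `openRoot`, `lockedRoot`, `isSuper` and the sample users are assumptions made for the illustration.

```javascript
// Simplified model of Firebase rule cascading (not Firebase's own engine).
// Rule expressions are modelled as JS functions of (auth, vars), not strings.
const isSuper = (auth) => auth !== null && auth.email === 'x@x.net';

// First block from the page: the root grants read and write to everyone.
const openRoot = {
  '.read': () => true,
  '.write': () => true,
  categories: { '.read': () => true, '.write': isSuper },
};

// Same categories rule without the root grants, plus the companies rules.
const lockedRoot = {
  categories: { '.read': () => true, '.write': isSuper },
  companies: {
    '.read': isSuper,
    '.write': isSuper,
    $user: {
      '.read': (auth, v) => auth !== null && v.$user === auth.id,
      '.write': (auth, v) => auth !== null && v.$user === auth.id,
    },
  },
};

// Walk from the root towards `path`. Access is granted as soon as any
// rule on the way evaluates to true; a deeper rule can never revoke it.
function allowed(rules, op, path, auth) {
  const vars = {};
  let node = rules;
  const segments = path.split('/').filter(Boolean);
  for (let i = 0; ; i++) {
    const rule = node['.' + op];
    if (rule && rule(auth, vars)) return true;
    if (i === segments.length) return false; // reached target, nothing granted
    const seg = segments[i];
    if (Object.prototype.hasOwnProperty.call(node, seg)) {
      node = node[seg];
    } else {
      const wild = Object.keys(node).find((k) => k.startsWith('$'));
      if (!wild) return false; // no rule covers deeper paths: default deny
      vars[wild] = seg; // bind the wildcard, e.g. $user = '7'
      node = node[wild];
    }
  }
}

// Constructed sample user (not from the page).
const sampleUser = { id: '7', email: 'user@example.com' };
console.log(allowed(openRoot, 'write', 'categories/c1', sampleUser));
console.log(allowed(lockedRoot, 'write', 'categories/c1', sampleUser));
```

With the open root an ordinary user can write to categories; once the root grants are removed, only the super admin can.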
when

Only the super admin can write at the red rectangle. Users can create nodes only under the comp node, and each new node must contain adminID. When a record inside comp is edited, the rule also checks that the ID of the currently logged-in user equals the adminID field!
WARNING: when making a transaction with Firebase, the adminID field must be text, otherwise it cannot be compared!
JavaScript:
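"categories": {
  ".read": true,
  ".write": "auth.email == 'x@x.net'", // only the super admin can write here
  "$catKeyID": {
    ".read": true,
    ".write": false,
    "comp": {
      ".read": true,
      ".write": false,
      "$compKeyID": {
        // existing record: the stored adminID must equal the logged-in user's ID
        // new record: the submitted adminID must equal the logged-in user's ID
        // note: .validate is not evaluated when data is deleted, so it does not restrict deletes
        ".validate": "(data.exists() && data.child('adminID').val() == auth.id) || (!data.exists() && newData.child('adminID').val() == auth.id)",
        ".read": true,
        ".write": true
      }
    }
  }
}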